Skip to content
GitLab
Closed
Issue created by Ghost User@ghost

rpz doesn't work for domain proxy.ru and subdomains

Summary

Such an entry in the rpz zone "proxy.ru A 1.1.1.1" does not return the correct result.

Such an entry in the rpz zone "proxi.ru A 1.1.1.1" returns the correct result.

Such an entry in the rpz zone "proxy.org A 1.1.1.1" returns the correct result.

BIND version used

Different versions for different operating systems:

BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 built with '--build=ppc64-redhat-linux-gnu' '--host=ppc64-redhat-linux-gnu' '--target=ppc64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-rpz-nsip' '--enable-rpz-nsdname' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--disable-atomic' '--enable-fixed-rrset' 'build_alias=ppc64-redhat-linux-gnu' 'host_alias=ppc64-redhat-linux-gnu' 'target_alias=ppc64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mminimal-toc' 'CPPFLAGS= -DDIG_SIGCHASE' using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.7.6

BIND 9.9.4-RedHat-9.9.4-73.el7_6 (Extended Support Version) id:8f9657aa built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--with-geoip' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-tuning=large' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' using OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017 using libxml2 version: 2.9.1

BIND 9.10.3-P4-Ubuntu id:ebd72b3 built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -DDIG_SIGCHASE' compiled by GCC 5.4.0 20160609 compiled with OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016 linked to OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016 compiled with libxml2 version: 2.9.3 linked to libxml2 version: 20903

Steps to reproduce

Install the bind9 with default settings.

Add a rpz to the file named.conf

Create the correct file with rpz and add such lines to it:

proxy.org       A       1.1.1.1
proxi.ru        A       1.1.1.1
proxy.ru        A       1.1.1.1
*.proxy.org     A       2.2.2.2
*.proxi.ru      A       2.2.2.2
*.proxy.ru      A       2.2.2.2

What is the current bug behavior?

# nslookup proxy.ru 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find proxy.ru: NXDOMAIN

# nslookup qq.proxy.ru 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find qq.proxy.ru: NXDOMAIN

What is the expected correct behavior?

# nslookup proxy.ru 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   proxy.ru
Address: 1.1.1.1

# nslookup qq.proxy.ru 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   qq.proxy.ru
Address: 2.2.2.2

Relevant configuration files

named.conf

rpz.zone

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code, as it's very hard to read otherwise.)

Possible fixes

(If you can, link to the line of code that might be responsible for the problem.)

Edited by Ghost User